MIT Information Services and Technology
 


Academic Computing Windows Support

acis-windows@mit.edu

x3-1783


 
 

Group Policy Settings

The group policy information on this page relates to settings that we have found useful in managing our Windows machines. There is more information regarding group policy, including the top-level domain settings, on this page.


Managing Software

The GP Setting to manage software is:
Computer Configuration\Software Settings\Software installation

To deploy an MSI (install a software package):

Select the software installation group policy and right-click on the software listing pane.
Select "New" and then "Package"

Now you can select the MSI file you want to deploy. Afterwards you are asked to select a deployment method:

-- Assigned: preferred for all applications unless they are upgrading an existing package and/or have an associated transform file.

-- Advanced Published or Assigned: for upgrades and/or MSIs with transforms.

If you select Assigned, there will be a relatively quick verification check of the MSI and then it will show up in the list.

If you select Advanced Published or Assigned, you will see a follow-up screen where you can set a number of options. The only two most people are concerned with are the "Upgrades" tab and the "Modifications" tab.

-- Upgrades: You simply select "Add" and choose which application this package is going to upgrade - Generally it is best to choose the "uninstall the existing package, then install the upgrade package" option (default).

-- Modifications: You simply select "Add" and choose the associated *.MST file, the transform which is associated with the MSI that you are adding. It is important that you do not press "OK" until all the transforms that you want to apply have been added; you cannot go back and add more.

Say "OK" and you will now see the software package listed in the software pane. At the next reboot this package will be installed on all of the machines in your container.

To remove an MSI:

Select Software installation and right-click on the software package that you are interested in removing.
Select "All Tasks" and then "Remove". When prompted for the removal method select "Immediately uninstall the software from users and computers" (default).

Say "OK" and you will now see that the software package is removed from the listing. At the next reboot this package will be removed from all of the machines in your containers.



System Startup/Shutdown Scripts

The GP Settings for Startup/Shutdown scripts are:
Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup

Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Shutdown

Here you simply right-click on either Startup or Shutdown and add the script that you want to run. The scripts here are run as the user "SYSTEM", so they should have whatever access they need to run correctly. The scripts themselves can be batch files or Perl scripts.
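Because these scripts execute as SYSTEM, any account that can modify the script file or its folder controls what runs at the next boot or shutdown. The following PowerShell audit is an added example, not part of the original page or MIT's tooling; the function name, the demo file and the trusted set (SYSTEM, BUILTIN\Administrators, RID 500 and RID 512) are assumptions.

```powershell
# Added example, not MIT's code. Lists accounts outside an assumed trusted set
# that can modify a script (or its folder) that Group Policy runs as SYSTEM.
function Get-UnexpectedWriter {
    param([Parameter(Mandatory)][string]$ScriptPath)

    # Rights that allow changing or replacing the file or folder contents.
    $names = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
             'ChangePermissions, TakeOwnership'
    $mask  = [int][System.Security.AccessControl.FileSystemRights]$names
    $mask  = $mask -bor 0x50000000   # GENERIC_WRITE | GENERIC_ALL in raw ACEs

    # Assumption: SYSTEM, BUILTIN\Administrators, and the Administrator (RID 500)
    # and Domain Admins (RID 512) accounts are the only intended writers.
    $trusted = '^(S-1-5-18|S-1-5-32-544|S-1-5-21-[\d-]+-(500|512))$'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Check the file and its folder: folder write access allows swapping the file.
    foreach ($target in @($ScriptPath, (Split-Path -Parent $ScriptPath))) {
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }  # InheritOnly
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            if ($sid -match $trusted) { continue }
            [pscustomobject]@{
                Target    = $target
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo target: a throwaway file standing in for a startup script.
$demo = Join-Path $env:TEMP 'startup-demo.cmd'
Set-Content -LiteralPath $demo -Value '@echo off'
Get-UnexpectedWriter -ScriptPath $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo
```

Run from a regular user session, the demo reports that user's SID, since files under a user's temp folder are writable by their owner; a script deployed for SYSTEM execution should produce no rows.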



User Logon Scripts

The GP Setting for User Logon scripts is:
Computer Configuration\Administrative Templates\System\Run these programs at user logon

To insert a script for user logon you need to right-click on the GP setting and select "Properties". Enable the group policy option, if it isn't already, and then select "Show" to receive a list of scripts that will run when a user is logging on.

The scripts here are run with the permissions of the user logging on, so they cannot be used to modify files or do system tasks that a regular user does not have permissions to do. The scripts themselves can be batch files or Perl scripts.



User Logoff Scripts

Within the design of our domain, running user logoff scripts was not a possibility, as the place where this is listed in Group Policy (under User Configuration) is not utilized. The WinAthena team has created a GP extension which now allows you to run user logoff scripts.

The GP Setting for User Logoff scripts is:
Computer Configuration\Administrative Templates\WinAthena Settings\Logoff Scripts\Run these programs at user logoff

To insert a script for user logoff you need to right-click on the GP setting and select "Properties". Enable the group policy option, if it isn't already, and then select "Show" to receive a list of scripts that will run when a user is logging off.

The scripts here are run with the permissions of the user logging off, so they cannot be used to modify files or do system tasks that a regular user does not have permissions to do. The scripts themselves can be batch files or Perl scripts.



Disallowing System Shutdown

There are two group policy settings related to controlling the shutdown of the system. They are:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Allow system to be shut down without having to log on (set to disabled)

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system (here you should have at least these three accounts - Administrator, SYSTEM and WIN\Domain Admins)
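To confirm that both settings actually reached a machine, the effective policy can be exported with secedit and checked. The following PowerShell is an added example, not part of the original page; it relies on the Windows names behind these two settings (the ShutdownWithoutLogon registry value and the SeShutdownPrivilege user right), and the function name and sample template are constructed for illustration.

```powershell
# Added example, not MIT's code. The template text below is constructed and the
# domain SID in it is a placeholder. On a real machine, export the input with:
#   secedit /export /cfg secpol.inf /areas SECURITYPOLICY USER_RIGHTS
$sampleInf = @'
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-18,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-512
'@

function Test-ShutdownPolicy {
    param([Parameter(Mandatory)][string[]]$InfLines)

    $noLogon = $null
    $holders = @()
    foreach ($line in $InfLines) {
        if ($line -match '\\ShutdownWithoutLogon\s*=\s*4,(\d+)') {
            $noLogon = [int]$Matches[1]          # 0 = disabled, 1 = enabled
        } elseif ($line -match '^\s*SeShutdownPrivilege\s*=\s*(.+)$') {
            $holders = @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }

    # The three accounts the page lists, matched by SID or by exported name.
    $expected = [ordered]@{
        'Administrator' = '^(S-1-5-21-[\d-]+-500|Administrator)$'
        'SYSTEM'        = '^(S-1-5-18|(NT AUTHORITY\\)?SYSTEM)$'
        'Domain Admins' = '^(S-1-5-21-[\d-]+-512|.+\\Domain Admins)$'
    }
    $missing = @($expected.Keys | Where-Object { -not ($holders -match $expected[$_]) })
    $extra   = @($holders | Where-Object {
        $h = $_
        -not ($expected.Values | Where-Object { $h -match $_ })
    })

    [pscustomobject]@{
        ShutdownWithoutLogon = $noLogon
        Holders              = $holders
        Missing              = $missing   # listed on the page but absent here
        Extra                = $extra     # holders beyond the page's three
        MatchesPage          = ($noLogon -eq 0) -and ($missing.Count -eq 0)
    }
}

Test-ShutdownPolicy -InfLines ($sampleInf -split '\r?\n') | Format-List
```

For the constructed sample, the result shows ShutdownWithoutLogon still enabled, Administrator missing from the right, and S-1-5-32-545 (BUILTIN\Users) as an extra holder to review.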



Setting the Administrator Password

The GP Setting to control the root password is:
Computer Configuration\Administrative Templates\WinAthena Settings\Root Password\Force a well-known Root (Administrator) Password

The documentation for this feature is here



Setting Up Printers

The documentation related to printing is in this document. You should pay special attention to this section.
If you are planning on utilizing a duplex printer you will need this information from our scripts page.



Disabling Off-line Files

We have found through experience that disabling the Windows off-line files feature in its entirety eliminates a host of potential problems. For example, when this was on, people could set it to synchronize all of AFS. Since there is no good reason in our environment to use this feature, we recommend shutting it off. There is a chance that laptops that may operate in a disconnected state could utilize this feature; however, more testing needs to be done.

The GP Setting to disable Off-line files is:
Computer Configuration\Administrative Templates\Network\Offline Files\Enabled (set to disabled)



Delete cached copies of roaming profiles

The GP Setting to enable the deletion of cached profiles is:
Computer Configuration\Administrative Templates\System\User Profiles\Enabled (set to enabled)



Log users off when roaming profile fails

We enable this option in most of our installations. Since much of the software and preferences are on the network, a failure to load a roaming profile usually means the machine has lost contact with the network. By forcing the users to log off when this happens we save them from experiencing a session where programs may not run correctly and they may lose their data. In our experience, rebooting the machine almost always fixes the inability to obtain the user's roaming profile.

The GP Setting to enable logging off users when profiles cannot be loaded is:
Computer Configuration\Administrative Templates\System\User Profiles\Enabled (set to enabled)


 